I have been doing a lot of testing on port mirroring with iptables TEE. My starting point has been the related topics in this forum (thanks!). My intention is to capture (mirror) all traffic from one host (RPi 192.168.1.99) to the internet to a testing box (Ubuntu 192.168.1.100).
Usually this is done with the iptables TEE target, acting on the 'mangle' table for the PREROUTING and POSTROUTING chains, to clone incoming and outgoing packets:
iptables -t mangle -A PREROUTING -j TEE --gateway 192.168.1.100
iptables -t mangle -A POSTROUTING -j TEE --gateway 192.168.1.100
In my testing, I have discovered that the iptables rules must be set carefully in order to avoid duplicating packets: if we don't specify source/destination IPs, the packets from the LAN to the internet are cloned by both the PREROUTING and POSTROUTING rules, and since both copies have the same source IP (192.168.1.99 in my test) there are DUP packets in the capture. (The answers in this forum are correct, because they specify the source IP address in the PREROUTING rule and the destination IP in the POSTROUTING rule, so there are no DUPs.)
My problem is that, when performing the capture on the gateway box, only the initial TCP 3-way handshake is captured. Later, I learnt that this is because conntrack is in action.
I have tested doing the capture in the mangle and raw tables in PREROUTING, but the behavior is the same. I had expected that, by cloning the packets in the raw table of PREROUTING, all traffic would be cloned, but it is not.
My question is: is this the expected behavior? That is, does conntrack take precedence over iptables, and once a connection is tracked, no traffic traverses iptables? If so, how can I clone all traffic to the testing box?
I attach an image capture from the testing box of a web request from the RPi to a web page, with the following iptables rules. Note that all traffic is SYN/ACK (traffic to Google is also captured, due to using Chromium, but it is also SYN/ACK):
iptables -t raw -A PREROUTING -s 192.168.1.99 -j TEE --gateway 192.168.1.100
iptables -t raw -A PREROUTING -s 217.160.0.65 -j TEE --gateway 192.168.1.100
--->PREROUTING------------------>[ROUTE]--->FWD---------->POSTROUTING-------------->
1st conntrack or raw??
2nd conntrack or raw??
3rd mangle
4th nat
Thanks!
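As an added example (not part of the post above), the two-rule pattern the post credits the forum answers with, plus a small audit that scans an iptables-save style dump for TEE rules carrying neither -s nor -d, which is exactly the configuration that clones the LAN-to-internet flow twice. The addresses are the post's (192.168.1.99 mirrored host, 192.168.1.100 capture box); the RULES dump is constructed here, not taken from the post.

```shell
#!/bin/sh
# Constructed mangle-table dump in iptables-save format, reproducing the
# "no source/destination filter" setup the post describes. On a real box
# this text would come from: iptables-save -t mangle
RULES='*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j TEE --gateway 192.168.1.100
-A POSTROUTING -j TEE --gateway 192.168.1.100
COMMIT'

# Print the asymmetric rule pair: PREROUTING matches packets FROM the
# mirrored host (outbound), POSTROUTING matches packets TO it (return
# traffic). Each direction is cloned once, so the capture has no DUPs.
tee_rules() {
  host=$1
  mirror=$2
  printf 'iptables -t mangle -A PREROUTING -s %s -j TEE --gateway %s\n' "$host" "$mirror"
  printf 'iptables -t mangle -A POSTROUTING -d %s -j TEE --gateway %s\n' "$host" "$mirror"
}

# Count TEE rules in a dump that have neither -s nor -d. Any such rule
# clones both directions of every flow; a PREROUTING/POSTROUTING pair of
# them produces the duplicate packets seen in the capture.
count_unfiltered_tee() {
  printf '%s\n' "$1" | grep -- '-j TEE' | grep -v -e ' -s ' -e ' -d ' | wc -l | tr -d ' '
}

# Stand-alone run: audit the constructed dump, then show the fixed pair.
echo "unfiltered TEE rules in dump: $(count_unfiltered_tee "$RULES")"
tee_rules 192.168.1.99 192.168.1.100
```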